The Day After Mirai: A Survey on MQTT Security Solutions After the Largest Cyber-attack Carried Out through an Army of IoT Devices

Giovanni Perrone, Massimo Vecchio, Riccardo Pecori, Raffaele Giaffreda

Abstract

Recent news of massive Distributed Denial of Service (DDoS) attacks being carried out using thousands of Internet of Things (IoT) devices transformed into attack bots are nothing else than a wake-up call for all the actors having a role on the IoT stage. The need to define and establish, as quickly as possible, viable security standards able to cope with the heterogeneous requirements arising from the IoT world is urgent, now more than ever. Maybe even before that, the dissemination of basic knowledge connected with the culture of IT security seems to play a major role in the overall security balance for IoT. Since it is more likely that systems using lightweight devices can be more vulnerable to security attacks, in this paper we start with analyzing MQTT, a message-based communication protocol explicitly designed having low-end devices in mind. After that, we move on to describe some of the security solutions and improvements typically suggested and implemented in real-life deployments of MQTT. Finally, we conclude this paper with a concise, though not exhaustive, survey on some of the most promising research topics in the IoT security area.

References

  1. Apollo (2016). Apache ActiveMQ Apollo homepage. available: http://activemq.apache.org/apollo/. accessed: March 21, 2017.
  2. Artemis (2016). Apache ActiveMQ Artemis homepage. available: http://activemq.apache.org/artemis/. accessed: March 21, 2017.
  3. Bethencourt, J., Sahai, A., and Waters, B. (2007). Ciphertext-policy attribute-based encryption. In 2007 IEEE symposium on security and privacy (SP'07), pages 321-334. IEEE.
  4. Chase, M. (2007). Multi-authority Attribute Based Encryption. In Proceedings of the 4th Conference on Theory of Cryptography, TCC'07, pages 515-534, Berlin, Heidelberg. Springer-Verlag.
  5. CORDIS (2016). CORDIS: Community Research and Development Information Service. available: http://cordis.europa.eu/. accessed: March 21, 2017.
  6. DC24 (2016). The DEFCON homepage. available: http://www.defcon.org/.
  7. EMQTT (2016). EMQTT homepage. available: http://emqtt.io/. accessed: March 21, 2017.
  8. Ericsson (2016). Ericsson Mobility Report. available: http://www.ericsson.com/res/docs/2016/ericssonmobility-report-2016.pdf. accessed: March 21, 2017.
  9. Espinosa-Aranda, J. L., Vallez, N., Sanchez-Bueno, C., Aguado-Araujo, D., Bueno, G., and Deniz, O. (2015). Pulga, a tiny open-source MQTT broker for flexible and secure IoT deployments. In 2015 IEEE Conference on Communications and Network Security (CNS), pages 690-694.
  10. Lesjak, C., Hein, D., Hofmann, M., Maritsch, M., Aldrian, A., Priller, P., Ebner, T., Ruprechter, T., and Pregartner, G. (2015). Securing smart maintenance services: Hardware-security and TLS for MQTT. In 2015 IEEE 13th International Conference on Industrial Informatics (INDIN), pages 1243-1250.
  11. Mosquitto (2016). Mosquitto homepage. available: http://mosquitto.org/. accessed: March 21, 2017.
  12. Neisse, R., Steri, G., Fovino, I. N., and Baldini, G. (2015). SecKit: A Model-based Security Toolkit for the Internet of Things. Computers & Security, 54:60-76.
  13. Oasis (2014). MQTT Version 3.1.1 Specifications. available: http://docs.oasisopen.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html. accessed: March 21, 2017.
  14. Rizzardi, A., Sicari, S., Miorandi, D., and Coen-Porisini, A. (2016). AUPS: An Open Source AUthenticated Publish/Subscribe system for the Internet of Things. Information Systems, 62:29-41.
  15. Ross, R., McEvilley, M., and Carrier Oren, J. (2016). NIST Special Publication 800-160: Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. available: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-160.pdf. accessed: March 21, 2017.
  16. Sahai, A. and Waters, B. (2005). Fuzzy identity-based encryption. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 457-473.
  17. Sheffer, Y., Holz, R., and Saint-Andre, P. (2015). Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). Internet Engineering Task Force (IETF), Request for Comments: 7457.
  18. Sicari, S., Rizzardi, A., Grieco, L., and Coen-Porisini, A. (2015). Security, privacy and trust in Internet of Things: The road ahead. Computer Networks, 76:146-164.
  19. Singh, M., Rajan, M., Shivraj, V., and Balamuralidhar, P. (2015). Secure MQTT for Internet of Things (IoT). In 2015 5th International Conference on Communication Systems and Network Technologies, pages 746-751.
  20. US-CERT (2016). Alert (TA16-288A): Heightened DDoS Threat Posed by Mirai and Other Botnets. available: http://www.us-cert.gov/ncas/alerts/TA16-288A. accessed: March 21, 2017.
  21. Weber, R. (2010). Internet of Things-New security and privacy challenges. Computer Law & Security Review, 26(1):23-30.
Download


Paper Citation


in Harvard Style

Perrone G., Vecchio M., Pecori R. and Giaffreda R. (2017). The Day After Mirai: A Survey on MQTT Security Solutions After the Largest Cyber-attack Carried Out through an Army of IoT Devices . In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS, ISBN 978-989-758-245-5, pages 246-253. DOI: 10.5220/0006287302460253


in Bibtex Style

@conference{iotbds17,
author={Giovanni Perrone and Massimo Vecchio and Riccardo Pecori and Raffaele Giaffreda},
title={The Day After Mirai: A Survey on MQTT Security Solutions After the Largest Cyber-attack Carried Out through an Army of IoT Devices},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,},
year={2017},
pages={246-253},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006287302460253},
isbn={978-989-758-245-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,
TI - The Day After Mirai: A Survey on MQTT Security Solutions After the Largest Cyber-attack Carried Out through an Army of IoT Devices
SN - 978-989-758-245-5
AU - Perrone G.
AU - Vecchio M.
AU - Pecori R.
AU - Giaffreda R.
PY - 2017
SP - 246
EP - 253
DO - 10.5220/0006287302460253